Get Better Security with Plain English Passwords

The debate over what constitutes a secure and smart password continues to rage on. In the past, we've told you that some security experts contend it is counter-productive to change your password on a schedule, and that a complex-looking password is not automatically better than a simpler one. Now there's some new fuel for the fire: a phrase of easy-to-remember (but unrelated) words might be better than a hard-to-remember string of letters, numbers, and symbols.

That's the thesis of a recent XKCD cartoon, which contends that:

Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.
Here is the actual cartoon:

To be clear, XKCD is not making this up out of thin air, which should be obvious from the math referenced in the strip itself. The assertion rests on established work, such as Thomas Baekdal's blog post The Usability of Passwords.

There's a lot of math here which isn't especially interesting unless you geek out on information entropy, but the core idea is simple: a password's strength is the number of equally likely candidates an attacker who knows your method has to try, not how odd it looks. Four words picked at random from a list of about 2,000 (the strip's example; something like "belong repeat right straw") give 2,000 to the fourth power of possibilities, roughly 44 bits. A short word with the usual tricks applied, a capital letter, a digit-for-letter substitution and a trailing symbol, comes to only about 28 bits, because cracking tools already apply those tricks to every dictionary word. So the four-word passphrase is at least as strong as a traditional password made from letters, numbers, and symbols, and vastly easier to memorize, which makes it far less likely to end up on a sticky note. Two caveats: the words must be chosen at random, from a word list or with dice, not by you, since human-chosen phrases and song lyrics are exactly what cracking dictionaries contain; and the strength comes from the number of words and the size of the list, not the punctuation. Your password system doesn't allow spaces? Then insert dashes or some other symbol instead. That won't hurt, but don't count on the separator for much extra strength.
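To make the arithmetic concrete, here is a small added example (not code from the article or from XKCD) that reproduces the strip's numbers and generates a passphrase the right way, with a cryptographic random source rather than the user's imagination. The word list embedded below is a constructed twelve-word sample, not a real passphrase list; the entropy function takes the list size as a parameter so you can plug in the strip's 2,048-word assumption or the 7,776 words of a Diceware list. The 1,000 guesses per second figure is the strip's own assumption for an online attack against a rate-limited service; an offline attack against a leaked hash database runs many orders of magnitude faster, which is why more words (or a longer list) are worth having.

```python
import math
import secrets

# Constructed sample list for demonstration only; a real passphrase list
# (Diceware, EFF long list, etc.) has thousands of entries.
SAMPLE_WORDS = [
    "belong", "repeat", "right", "straw", "correct", "horse",
    "battery", "staple", "river", "candle", "forest", "window",
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(n_words, list_size):
    """Entropy of n_words drawn uniformly and independently from a list of
    list_size words. Assumes the attacker knows both the list and the scheme,
    so the only secret is which words were drawn and in what order."""
    return n_words * math.log2(list_size)


def exhaust_time_years(bits, guesses_per_second):
    """Time to try every candidate in a space of 2**bits at the given rate.
    The expected time for a random target is half this; the strip quotes the
    full-space figure, so we do too."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(wordlist, n_words=4, separator=" "):
    """Pick n_words uniformly at random with the OS CSPRNG. Drawing with
    replacement is intentional: it keeps every draw independent, which is
    what the entropy formula above assumes. Never use random.choice here;
    it is seeded predictably and is not meant for secrets."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def compare_schemes(guesses_per_second=1000):
    """Reproduce the strip's comparison: four words from a 2048-word list
    (11 bits each) versus the roughly 28 bits the strip assigns to a
    'Tr0ub4dor&3'-style mangled dictionary word."""
    passphrase_bits = entropy_bits(4, 2048)
    mangled_word_bits = 28  # the strip's estimate, taken as given
    return {
        "passphrase_bits": passphrase_bits,
        "passphrase_years": exhaust_time_years(passphrase_bits, guesses_per_second),
        "mangled_bits": mangled_word_bits,
        "mangled_days": exhaust_time_years(mangled_word_bits, guesses_per_second) * 365.25,
    }


if __name__ == "__main__":
    result = compare_schemes()
    print(f"four random words: {result['passphrase_bits']:.0f} bits, "
          f"about {result['passphrase_years']:.0f} years at 1000 guesses/s")
    print(f"mangled word:      {result['mangled_bits']} bits, "
          f"about {result['mangled_days']:.1f} days at 1000 guesses/s")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS, 4, "-"))
```

Run it and the two lines match the strip: about 550 years versus about 3 days at the same guess rate. Swap in a Diceware-sized list (7,776 words) and each word is worth almost 13 bits, so five or six words comfortably clear the 60 to 80 bits you want if the hash of your password might ever be stolen and attacked offline.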

If you are intrigued by this approach to passwords, you can use the XKCD Password Generator, which generates random but easily memorized passwords in the style of the XKCD strip.

